Systems, methods and devices for secure data storage with wireless authentication

ABSTRACT

A secure data storage device with wireless authentication is provided. The described data storage device is wirelessly unlocked using another wireless device. The secure data storage device interoperates with a cloud server for configuring and managing the data storage device.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/475,343 filed Mar. 31, 2017, which claims priority to U.S. patentapplication No. 62/316,646 filed Apr. 1, 2016.

TECHNICAL FIELD

The present disclosure relates generally to secure data storage devices.More specifically, this disclosure relates to embodiments of secure datastorage devices with wireless authentication.

BACKGROUND

There is growing demand for portable storage devices and solutions.There is interest in increased storage capacity, but also for improvedfile security.

Examples of portable storage devices include hard drives, thumb drivesand other devices with access to cloud storage. The most common form ofprotection for storage media is password authentication. Cloud storageusing password protection requires users to log into a specific websiteor install proprietary software on the host which authenticates with thecloud server. Thumb drives typically use proprietary software which mustbe installed on the host system. In each case, the proprietary softwareis additional software required to be installed on the host device forthe purpose of authentication at the particular secure data storagedevice.

Proprietary software on the host system may be compromised by malicioususers through OS or browser exploits, viruses, trojans, key loggers, andmany other forms of intrusions known to those specializing in security.Cloud storage and the current secure thumb drives are also vulnerable toa wide range of attacks.

SUMMARY

In one aspect, a wireless secure data storage device is provided, thedevice comprising: a data store connected to one or more interfaces fortransferring data from the data store; a processing unit; an electronicswitch; one or more wireless communication components coupled to theprocessing unit for communicating with a host device for obtainingauthentication data; and a location sensor for determining the locationof the wireless secure data storage device based on an additionaldevice; wherein the electronic switch and the processing unit cooperateto switch the device between a closed state, where data cannot beaccessed from the data store through the one or more interfaces, to anopen state, where data can be accessed from the data store through theone or more interfaces, upon the processing unit matching obtainedauthentication data to a stored secret key and the location sensordetermining that the wireless secure data storage device is within apredetermined range.

In another aspect, a method is provided of authenticating a user to awireless secure data storage device comprising a data store connected toone or more interfaces, a processing unit, an electronic switch, one ormore wireless communication components coupled to the processing unit,and a location sensor for determining the location of the wirelesssecure data storage device based on an additional device, the methodcomprising: obtaining, by the one or more wireless communicationcomponents, authentication data from a host device; matching, by theprocessing unit, the authentication data to a stored secret key;determining, by the location sensor, that the wireless secure datastorage device is within a predetermined range; and switching, by theprocessing unit and the electronic switch, the device from a closedstate, where data cannot be accessed from the data store through the oneor more interfaces, to an open state, where data can be accessed fromthe data store through the one or more interfaces.

These and other aspects are contemplated and described herein. It willbe appreciated that the foregoing summary sets out representativeaspects of systems, methods and devices for secure data storage toassist skilled readers in understanding the following detaileddescription.

BRIEF DESCRIPTION OF THE DRAWINGS

The features of the invention will become more apparent in the followingdetailed description in which reference is made to the appended drawingswherein:

FIG. 1A is a block diagram of an embodiment of a wireless secure datastorage drive (“WSDSD”) of the present invention.

FIG. 1B shows a block diagram of a representative implementation of theWSDSD where the CPU, controller, and one or more memory devices arecombined in a single chip.

FIG. 1C shows a block diagram of another representative implementationof the WSDSD, where the data storage device contains a rechargeablebattery able to power the device when not connected to an interface.

FIG. 1D is a block diagram of another representative implementation ofthe WSDSD, in a particular embodiment where the CPU, a controller, oneor more memory devices, a power module and one or more radiotransceiver(s) are combined into a single chip.

FIG. 1E shows a block diagram of another representative implementationof the WSDSD, containing a cellular module and further a GPS module forgeolocation as well as an inertial measurement device for anti-theft,unauthorized movement of the device, fall detection and otherinformation that may be gathered from inertial sensors.

FIG. 2 shows a block diagram representing a system for secure storage,where a cloud server communicates with smart devices implementing thedata storage functions of the present invention in order to changesettings for the wireless secure data storage drive.

FIG. 3 shows a method of using a WSDSD.

FIG. 4 is a block diagram illustrating another embodiment of inventionWSDSD that utilizes a hardware key protocol used as a hardwareauthenticator for the present invention.

FIG. 5 shows a block diagram of a system for secure storage comprising aplurality of wireless secure data storage devices of the inventionforming a network and communicating with the cloud server.

DETAILED DESCRIPTION

Embodiments will now be described with reference to the figures. Forsimplicity and clarity of illustration, where considered appropriate,reference numerals may be repeated among the Figures to indicatecorresponding or analogous elements. In addition, numerous specificdetails are set forth in order to provide a thorough understanding ofthe embodiments described herein. However, it will be understood bythose of ordinary skill in the art that the embodiments described hereinmay be practiced without these specific details. In other instances,well-known methods, procedures and components have not been described indetail so as not to obscure the embodiments described herein. Also, thedescription is not to be considered as limiting the scope of theembodiments described herein.

Various terms used throughout the present description may be read andunderstood as follows, unless the context indicates otherwise: “or” asused throughout is inclusive, as though written “and/or”; singulararticles and pronouns as used throughout include their plural forms, andvice versa; similarly, gendered pronouns include their counterpartpronouns so that pronouns should not be understood as limiting anythingdescribed herein to use, implementation, performance, etc. by a singlegender; “exemplary” should be understood as “illustrative” or“exemplifying” and not necessarily as “preferred” over otherembodiments. Further definitions for terms may be set out herein; thesemay apply to prior and subsequent instances of those terms, as will beunderstood from a reading of the present description.

Any module, unit, component, server, computer, terminal, engine ordevice exemplified herein that executes instructions may include orotherwise have access to computer readable media such as storage media,computer storage media, or data storage devices (removable and/ornon-removable) such as, for example, magnetic disks, optical disks, ortape. Computer storage media may include volatile and non-volatile,removable and non-removable media implemented in any method ortechnology for storage of information, such as computer readableinstructions, data structures, program modules, or other data. Examplesof computer storage media include RAM, ROM, EEPROM, flash memory orother memory technology, CD-ROM, digital versatile disks (DVD) or otheroptical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed by anapplication, module, or both. Any such computer storage media may bepart of the device or accessible or connectable thereto. Further, unlessthe context clearly indicates otherwise, any processor or controller setout herein may be implemented as a singular processor or as a pluralityof processors. The plurality of processors may be arrayed ordistributed, and any processing function referred to herein may becarried out by one or by a plurality of processors, even though a singleprocessor may be exemplified. Any method, application or module hereindescribed may be implemented using computer readable/executableinstructions that may be stored or otherwise held by such computerreadable media and executed by the one or more processors.

In one aspect, in the following, embodiments of a wireless secure datastorage drive (“WSDSD”) are provided wherein the device can be unlockedvia a wireless connection with a host device. More particularly, inembodiments the WSDSD comprises one or more data stores connected to oneor more data transfer interfaces, an electronic switch, a wirelesscommunication component and a processing unit (which comprises a datastore controller and a CPU). The electronic switch couples the one ormore data stores and the processing unit. The processing unit isconfigured to trigger the electronic switch to unlock the one or moredata stores for communication of stored data to a user via the one ormore interfaces (wired or wirelessly) upon the device wirelesslyreceiving correct authentication information from the host device viathe wireless communication component. In various embodiments, at leastthe electronic switch, processing unit and one or more data stores arecombined on a single integrated circuit (“IC”) chip to minimize the riskof tampering.

In another aspect of the invention, a data storage device is providedwith enhanced security features based on integrated wireless features,examples of which are described below.

In another aspect of the present invention, the data storage deviceincludes integrated encryption features.

In another aspect of the invention, the data storage device alsoincludes a novel security feature using wireless signal strength as aproximity sensor, as further explained below.

In the paragraphs that follow, various embodiments of the WSDSD andassociated systems will be described, before being described withreference to the drawings.

Particular embodiments of the WSDSD for wireless authentication of auser will now be described.

In one aspect of the invention, a data storage device is provided thatis configured for wireless authentication. The data storage device maybe disposed as a flash drive (i.e. with flash storage and a USBinterface).

Secure data storage devices typically require authentication in order toaccess stored data. Authentication, as previously stated involves userauthentication. In the case of authentication of a small data storagedevices (such as flash drive), which may not on its own enable userauthentication, software and/or devices often need to be installed on acomputer associated with the data storage device, such as a desktopcomputer or laptop computer. This generally then requires that suchsoftware interoperate with the operating system resident on such desktopcomputer or laptop computer, which in turn renders the solution subjectto the vulnerabilities inherent to such operating system.

There is a need to mitigate such vulnerabilities, and further it isuseful to be able to use a mobile device such as a smart phone or tabletcomputer (which most users have on hand) as the means for providingauthentication of the user to the data storage device.

In one aspect of the invention, a plurality of embodiments are providedfor a wireless secure data storage device that incorporatesfunctionality for wireless authentication of the data storage device,using a mobile device. The wireless secure data storage device includescomponents (described below) and proprietary software that enables thewireless secure data storage device to connect to a mobile device toauthenticate a user associated with both the mobile device and thewireless secure data storage device. This mobile device, used toauthenticate the wireless secure data storage device may also bereferred to as the “host device”.

As explained below, it is desirable and convenient that the host deviceconsists of a mobile device, such as a smart phone or a tablet computer,however, in some implementations or use cases it may be desirable that adesktop computer or laptop computer act as a host device.

In one aspect of this embodiment, the host device does not requireinstallation of the proprietary software, and thus vulnerabilities ofthe operating system associated with the host device may be avoided.

In addition, the host device may be used to access various technologiesor methods for authenticating the user, such as fingerprinttechnologies, passwords, pattern recognition, face recognition, voicerecognition and so on. These authentication technologies may beinstalled on the mobile device, part of the mobile device features orsoftware, or may be implemented as peripherals that are connected to themobile device that may utilize computing resources of the mobile device.

The wireless connection now described may be established using aBluetooth or WiFi or WiGig connection for example.

The host device now described is designated for the purpose ofauthenticating the user. The host device and associated identifiers maybe stored in the Cloud Server described later. In one aspect of theinvention, the host device consists of a device associated with a userwho is also authorized to access the wireless secure data storagedevice, but where the host device is separate and apart from thewireless secure data storage device itself. The host device may also bea USB device that is different from the USB device consisting of thewireless secure data storage device itself.

In one aspect of the invention the security feature requiring a wirelessconnection to a host device is implemented using a proprietary programor proprietary computer code. Therefore, use of operating systemsoftware, including a computer operating system (for use on a smartphone or on desktop or laptop computer) is not required for providingthe security features of the present invention. More particularly,additional proprietary authentication software at the host device isstill required if the WSDSD authenticates with a desktop, laptop orsmart device. However, no additional software is required if the deviceunlocks by a GPS unit, a hardware key or another wireless device that isused to authenticate.

One advantage of the ability to authenticate the user by means ofwireless authentication is to avoid the need for cables or physicalconnection to initiate the user authentication process.

In various embodiments, authentication thus occurs at the WSDSD based onauthentication data wirelessly received from the host device. Moreparticularly, the received authentication data may be matched to asecret key (e.g. an alphanumeric key) stored at the device with avariable length used to accomplish the authentication of the user. Forexample a text password, voice, pattern, fingerprint or face recognitioncan all be converted into an alphanumeric key. This secret key will bestored on the WSDSD. When the user tries to authenticate using the hostdevice, the WSDSD compares the received authentication data to thesecret key (which may comprise first converting the authentication datato an alphanumeric form, depending on whether the data is converted atthe host device or WSDSD). If the secret key matches, the user isauthentic and the WSDSD proceeds to unlock the data store(s). The deviceis most secure if the password the user uses is long and has acombination of symbols and alphanumeric characters. For example, if theuser decides to have only a 4 character password with numbers between 0to 9, the authentication becomes less secure as the possibilities of theuser's password are small and can be cracked in a reasonable amount oftime.

Alternatively or additionally to the secret key, there are other ways tofurther restrict the user and authenticate the user. For example,additional data to be matched could include smart device/host devicewireless MAC, IMEI, serial number, and other unique identificationfactors based on the device used to communicate with the WSDSD.

If an encryption scheme is implemented, as described below in variousembodiments, the authentication data, along with any other data sent tothe WSDSD may be sent in encrypted form. In such embodiments, the hostdevice (laptop, desktop, anything with a physical USB device, smartdevice (whether wireless or wired, e.g. using USB/Thunderbolt) sendsencrypted messages to the WSDSD which the WSDSD decrypts according to apublic/private key authentication protocol. In such cryptographicschemes, the private key resides on the WSDSD, while the hostdevice/smart device will receive a public key from the WSDSD which willthen be stored on the said device. All data sent to the WSDSD may thusbe encrypted with the public key and decrypted on the WSDSD with theprivate key. In such embodiments, when the user tries to authenticateusing the smart device/host device, the public key is used to encryptthe whole message, the message is sent to the WSDSD, the WSDSD uses thestored private key to decrypt the message and compares it to its storedsecret key. If the secret key matches, the user is authentic and theWSDSD proceeds to unlock the data store(s).

The foregoing embodiments integrating wireless components in secure datastorage devices will be discussed below more particularly with referenceto the figures.

Embodiments of WSDSDs incorporating both WiFi or WiGig and Bluetoothwireless components will now be described.

In one aspect, embodiments of the wireless secure data storage device ofthe present invention, include both a WiFi or WiGig wireless component(including a WiFi or WiGig configured radio transceiver), and aBluetooth wireless component (including a Bluetooth configured radiotransceiver).

Conventional wireless secure data storage devices may include a WiFi orWiGig wireless component, for example for high speed data transfer butdo not include a Bluetooth wireless component.

In one aspect of the invention, the wireless secure data storage deviceincludes: (A) a WiFi or WiGig wireless component for high speed datatransfer between devices and (B) a Bluetooth wireless component forinteroperating with another device (such as the host device previouslymentioned) to communicate for example battery status, file transferstatus, encryption set up and so on.

Upon successful authentication, the host device will gain access to thedata stored on the WSDSD (e.g. flash device). Using the WiFi or WiGigwireless communication for high speed data transfer, users maymanipulate files on the flash device directly over another wirelessenabled device such as a smartphone, laptop or smart devices such as TV,digital white board, projectors, etc. Users may also stream files forwatching video or playing music without physically having to plug theflash drive in to the host device. The wireless flash drive may alsojoin a typical wireless home/office network in which it may act as abackup drive or network storage. If the wireless network that the flashdrive joined is internet enabled, the drive may serve as a private cloudstorage device in which the user may access files through the CloudServer. Additionally, even when a WiFi or WiGig network connection isnot available, the Bluetooth wireless component enables the support ofsuch features, conveniently, on a wireless basis. Also WiFi networks maynot be trusted for the purpose of the functions described.

The Bluetooth wireless communication range on most phones is typicallymaximum 30 feet however, by reducing the power output of the wirelesscomponent we can reduce that range. Reduced range reduces securityvulnerabilities because wireless sniffers, packet captures, or any othertools known to those skilled in the art of security would have to bewithin wireless range to capture authenticate data to be able to crackthe password. Bluetooth would ensure that only users close to the devicemay authenticate. Bluetooth devices also do not have the ability toconnect to home networks this is particular important in the case wheremalicious software is installed on any of the computer devices withinthe network that could comprise security. Bluetooth may thus be used forauthenticating with the wireless flash drive and accessing features suchas battery status, transfer status, configuring LED and various devicesettings. If the device only had WiFi the user would only be able to doonly one thing at a time for example, start a file transfer (would notbe able to read the status until it's done). The other issue with usingWiFi is that most users have tablets or smart phone that they wish touse with a wireless flash drive. However, many of these users use WiFifor their internet connection, for a smart phone to connect directly tothe flash drive the user would have to disconnect from the internet.This is an undesirable effect for many users. Further, recent tabletsand smart phones typically have both Bluetooth and WiFi and as such bothof these can be enabled at the same time. In this case, Bluetooth wouldbe used for authentication and reading and configuring the flash device.The flash drive's WiFi may be either connected to the users WiFidirectly (which may be undesirable) or connect to the users WiFi networkat which point the user may access the files without disconnecting tothe WiFi internet (if they are connected).

In one aspect, the wireless secure data storage device incorporatesencryption/decryption features in order to enable data transfer in asecure manner. Examples of suitable encryption features for embedding inthe wireless secure data storage device were described above and aredescribed further below more particularly with reference to the figures.

In one aspect of the invention, a wireless data storage device isprovided that includes: a) a CPU, b) a wireless transceiver, c) a powermodule, d) a controller (with flash controller capabilities), e) anelectronic switch, f) one or more memory devices (for example at leastone flash memory), and g) one or more antenna, wherein the wirelesssecure flash drive is configured with one or more wireless interfaces.

In another aspect of the wireless secure data storage device of theinvention, the device and its hardware and firmware components may beprovided in a manner that enables incorporation of security features,and also of tampering counter measures. The embodiments described belowwith reference to the figures enable incorporation of security featuressuch as those required for FIPS-3 or FIPS-4 compliance, while providingthe convenience enabled by the wireless features described.

The incorporation of the wireless features into the data storage deviceof the present invention also can improve security for example byenabling updates to encryption algorithms, and wireless exchange ofencryption keys.

The design for wireless secure data storage device of the invention mayenable the use of third party components for example for the integratedcircuit described in connection with certain of the figures below, whichmay be used to provide functionality similar to a token key.

In another aspect, the electronic switch is connected to the controller,and is configured to close or open access to the flash memory.

The wireless interfaces may include one or more of a USB interface, aSATA interface, a PCI-Express interface, a Bluetooth interface, a WiFiinterface, or a WiGig interface.

In another aspect of the invention, the data storage device isimplemented as a USB device (including the components described), wherethe wireless data storage device does not require additional software onthe host device.

In another aspect of the invention, an embodiment is provided whereinthe WSDSD disposed as a flash drive is provided including the componentsdescribed, and that supports a wireless encrypted communicationmechanism for connecting to a host device consisting of a wirelessdevice such as a smart phone or a tablet computer. In another aspect ofthe present invention, the controller is configured to perform dataencryption/decryption while communication with flash memory is active.

In another implementation of the data storage device, the CPU is coupledwith the wireless transceiver to provide bi-directional secureauthentication with an external wireless device.

In another aspect of the invention, the flash drive embodiment isconfigured to permit data exchange with the external wireless device.The flash drive may be configured to receive firmware upgrades. Morespecifically, the flash drive may be configured to download new firmwarewhile in idle mode, including over the air. In one exampleimplementation the flash drive can receive firmware through one or moreof the USB, SATA, PCI-Express, WiFi, WiGig or Bluetooth.

In another possible implementation of the present invention, a wirelessdata storage device is provided including: a) a CPU block containing acontroller; b) a wireless transceiver; c) a power module; d) one or moreflash memory; and e) one or more antenna; wherein the CPU and one ormore flash memory are integrated into one single chip.

In another aspect, the CPU block communicates with the wirelesstransceiver using a bus interface.

In another possible implementation, the wireless transceiver and thepower module may also be integrated to a single chip.

In another possible implementation, the single chip integrates theelectronic switch described above.

In another aspect, the power module recharges the rechargeable battery.In another aspect, the power module recharges the battery when thewireless data storage device is powered by the USB host.

In another aspect, the wireless data storage device of the presentinvention includes one or more antenna.

In another aspect of the invention, the data storage device may includea wireless interface such WiFi, Bluetooth, WiGig, proprietary high speedwireless interface.

The data storage device, in one aspect, does not require proprietarysoftware on the host device.

The data storage device, in one aspect, includes a GPS module.

The data storage devices, in one aspect, includes a cellular module. Thedata storage drive, in at least one embodiment is a module.

The data storage devices, in one aspect, consists of a plug-in device.

The data storage device, in one aspect, is implemented as a board.

In one embodiment of the invention, the device is configured as a moduleor a board embedded in an electronic device.

In another aspect, the data storage device contains at least oneinterface such as PCMCIA, CardBus, SPI, IEEE 1394, I2C, Ethernet,Thunderbolt, WiFi, Bluetooth, and other interfaces known to thoseskilled in the art. The module or board may then be used within new orexisting hardware devices to add additional storage and capabilities.

Embodiments of systems for secure storage comprising a WSDSDinteroperating with a cloud server will now be described.

In an aspect of the invention, a cloud management server (or “CloudServer”) may be provided for providing one or more services for managingfunctions related to the data storage device. For example, the cloudmanagement server may include or be associated with programming for (A)assigning one or more users per data storage device, or (B) assigninguser access privileges at a file, folder or partition level, includingassociated encryption or authentication, as further described below.

The wireless communication features of the wireless secure data storagedevice described previously may be used to enable wirelesscommunications between the wireless secure data storage device and thecloud management server directly, without the need for an intermediarycommunication device.

The wireless secure communication device in combination with the cloudmanagement server enables a number of different innovative solutions anduse cases further described below.

The cloud management server may be used for example to configure thewireless secure data storage device to (A) define different securefiles, folders, or partitions, where (B) optionally different encryptionmay be associated with certain of such files, folders, or partitions.For example, the cloud management server may define selective encryptionfor one or more of such files, folders, or partitions, or in fact fieldlevel encryption if this is required.

Also, given the wireless features of the wireless secure data storagedevice described, configuration of such files, folders, or partitions,and the associate security features including encryption, may beconfigured or reconfigured on a wireless basis, without the need toconnect to a computer. This provides flexibility in enabling frequentupdates to security measures, which itself improves security. Also,security can be managed as between the data storage device and the cloudserver (which itself is secure), without the need to access anothercomputer, whose security may be compromised.

The cloud management server enables an administrator, by logging into asecure server, to manage efficiently a plurality of wireless secure datastorage devices of the present invention, without compromising thesecurity of the solution.

In addition, the cloud management server may enable: assigning users foreach device; assigning access privileges to users at a file, folder orpartition level with encryption type and authentication; determininglast location known; execute functions including a) format/erase, b)partition data, c) restrict formatting the file system from the OS, d)configure the data storage device to work in a network, e) once devicesare connected together an aggregation of their respective file systemscan be shown in an aggregated view presented by the cloud managementserver, that also allows users to access all files linked to all of theconnected devices.

Embodiments will now be described for unlocking the WSDSD based on alocational indication, as will be described below in additional detailwith reference to the drawings.

The wireless secure data storage device of the present invention mayinclude a cellular component and also optionally a GPS module. Thisenables embodiments of the wireless secure data storage device that areconfigured to unlocked/lock based on location. The location could be aproximity of another wireless device such as the host device (smartphone, tablet, another USB), multiple wireless devices or GPScoordinates.

In one possible implementation, a wireless secure data storage deviceincluding a proximity sensor may be unlocked automatically when a hostdevice is determined based on wireless proximity sensing to be within aspecific range, and conversely the wireless secure data storage devicemay be locked when a host device is determined based on wirelessproximity sensing not to be within a specific range.

In one implementation, the device acts as a proximity sensor, and theproprietary program includes computer instructions for providingenhanced security based on proximity to one or more devices.

In one example, the device transmits a communication to one or moreother devices indicating that the data storage device is withinproximity, which communication may include information from which thelocation or approximate location for the device may be determined. Asmart phone for example receives this communication and can establish anapproximate distance between the smart phone and the data storagedevice. This approach has a number of possible advantages. When a userleaves the data storage device behind (implemented for example as aUSB), an associated smart phone can remind the user that they left itbehind. This would reduce the chance of losing USBs, which may result inthe loss of important information.

In another possible implementation, when a data storage device is lost(implemented for example as a USB), one or more smart phones in the areamay pick up a broadcast and notify the cloud management server. Thecloud management server could then provide a notification to the ownerof the lost USB with information for retrieving the data storage device,including for example its approximate location. Alternately, in suchembodiments, once lost the device may itself connect to the cloudmanagement server to send a notification indicating that it has becomelost.

In one aspect of the invention, a data storage device includes a filestorage system and a CPU, and the CPU is configured to authenticate anexternal wireless device and allow the external wireless device tounlock access to the file storage system.

Other aspects of the invention will now be briefly described.

The invention may use one or more layers of security to reduce the riskof intrusion. Some of these security protocols may consist of one ormore of the following: a session key, a certificate, a password, voicerecognition, face recognition, pattern recognition, a fingerprintscanner, an iris scanner, a specific hardware host, a hardware key,multiple users, and proximity to a specific smart device or a specificgeo location to gain access to the data storage device of the invention.

The wireless secure data storage device of the invention may beimplemented as a USB drive incorporating Bluetooth functionality. It mayalso be used to provide improved security to solid state drives (SSD) ortypical spin hard drives (HDD).

The device may be configured to be unlocked/locked based on location.The location could be a proximity of another wireless device (smartphone, tablet, another USB), multiple wireless devices or GPScoordinates. This allows the definition of location based rules formanaging security of the wireless data storage device. For example, auser may want the device to unlock automatically within a trustedenvironment such as the user's house. However, if the wireless datastorage device is accessed elsewhere, the device may be locked bydefault until someone authenticates with the device to unlock it.

In another aspect, the device may include a cellular modem andoptionally a battery to provide tracking capability and connectivity toa cloud server independent of any associated device. This enables notonly tracking for example of a drive including sensitive information forrecovery, but also provides connectivity to the cloud management serverfor erasing of data or selected data from the drive. These features willoperate independent of the operating system, which will avoidcircumvention by initiating for example erase functions via theoperating system.

In one aspect of the invention, one or more of the devices described inthis disclosure may form a wireless network. The nodes within thewireless network may act as a wireless RAID file system with the optionof different encryption and credentials on each node. Devices within thenetwork may transfer files between each other, a smart device or to acloud server. The network may also be used to increase capacity,increase read and write performance known as RAID 0. Other RAID formatsmay also be configured between the devices such as RAID 1 which allowsdata mirroring, or other more complex RAID formats which may combine amix between redundant data and increased throughput. Nodes within thewireless network may also be configured as individual file systems.Proprietary software may aggregate all the content into one view withthe capability of file manipulation including but not limited to stream,copy, delete, read and rename.

Illustrative examples of use of embodiments of the WSDSD will now bedescribed.

The WSDSD device may be implemented as a USB flash drive, which mayinclude LED lights to indicate one or more operating modes of the flashdrive. The USB flash drive may be inserted into a USB host. If the USBflash drive is in a “locked” position then a particular light indicatormay be initiated such as “RED”. This may suggest that one or more of thesecurity features of the device (as described) may be locked, and needto be unlocked. For example a host device must be brought into proximityof the USB, or wireless authentication using a host device needs to beinitiated. Once the USB flash drive is “unlocked”, the light indicatormay change for example to “GREEN” and now the USB flash drive may beused as a regular data storage device.

In one example, the device acts as a wireless secure key to unlock otherwireless devices within proximity when the device is authenticatedsuccessfully by the user. Such other devices could be a wireless lock onyour home door, a car door, engine start/stop or any other device withwireless capabilities that requires security. The advantage of thiswould be two fold, one the user needs to be within at most 30 feet ofthe device and two the wireless secure key would need to be unlocked bythe user using Bluetooth to initiate unlocking of any other devices.

In another example, the device can be used as a proximity parentalcontrol device. With additional software on the host device, parentalcontrols may be enabled on the computer such that children cannot accessvarious features on the OS. Once the parent arrives home, theyauthenticate with the wireless key, upon unlocking the device the OSautomatically recognizes the device as a parental control key andremoves parental controls from the host device.

In an implementation of the invention, where a wireless secure datastorage device is used in connection with a cloud server, the solutionmay require: (A) a user to define credentials for authenticating to thecloud server; (B) the user using the credentials for accessing variousfeatures for managing his/her wireless secure data storage device,including for example (i) confirming status of the device (whetherlocked or unlocked), (ii) status of available wireless connectivity tothe data storage device, (iii) defining parameters of the host device,(iv) status of the host device such as proximity to the data storagedevice, (v) defining parameters for geolocation features, (vi) managingevents such as a lost or stolen data storage device.

In one possible implementation, a data storage device of the inventionmay be unlocked by (A) a user signing into the cloud server, and (B) thecloud server initiating the unlocking of the data storage device on awireless basis, whether based on authentication of the data storagedevice to the cloud server, or the cloud server initiating theauthentication of a host device to the data storage device.

In the following, various embodiments of the WSDSD as well as associatedsystems and methods will be described with reference to the drawings.

Shown in FIG. 1A is a diagram illustrating a possible embodiment of aWSDSD.

WSDSD 100 contains one or more data transfer interfaces that providefile storage and transfer capabilities when wired or wirelessly (via thewireless communication component) connected to a computing device. WSDSD100 can act as a file storage device over the one or more interfaces,which may comprise USB 102, SATA 111, PCI-Express 114 or otherinterfaces known to those skilled in the art, including PCMCIA, CardBus,SPI IEEE 1394, I2C, Ethernet, Thunderbolt, WiFi, WiGig, Bluetooth, andSerial.

Bus interface 109 shown in FIG. 1A provides a method of communicationknown to those skilled in the art, including but not limited to GPIO,SPI, I2C, One-wire, Parallel and Serial between internal components,102, 103, 104, 105, 106, 111 and 114.

A processing unit, comprising the CPU 106, performs calculations, hoststhe application programming interface (API) and provides the firmware tocommunicate with the radio transceiver 107. The CPU enables the WSDSD tointeract via the wireless communication component and it furtherperforms the encryption/decryption for messages sent and received fromthe host devices (or other devices). The CPU may further be configuredto match received authentication data against a stored secret key. TheCPU is further configured to interact with other devices and chipcomponents, in particular the electronic switch to open or close accessto the data stores. In various embodiments, data in memory may furtherbe stored in encrypted format and may be decrypted by the CPU (or datacontroller 104) during read/write operations.

Data controller 104 can be associated with one or more memory datastores 105 to provide faster read/write speeds or extended file storagecapacity. The controller is a dedicated CPU to handle high speed databetween the USB or other interface(s) and the memory interface (datastores). The controller sometimes may have data encryption anddecryption features built-in so that this can be accomplished on the flywith the data stores. If the controller has encryption/decryptioncapabilities it may only manage the data in the data stores rather thanalso authenticate the user.

In some embodiments, a separate CPU and data store controller are notincluded, and a single CPU block performs all encryption/decryptionoperations of the user and messages, as well as controlling access tothe data. The term processing unit is thus used herein to generallyrefer to the CPU and data controller which may in some embodimentscomprise one or more separate CPUs.

Electronic Switch 103 is coupled with the CPU 106 and can enable ordisable access to the file storage system. More particularly, theelectronic switch 103 opens and closes the state of pins (e.g. using aGPIO, bus interface 109) connecting the external interface (USB,PCI-express, etc) to the controller (or CPU, if no separate controlleris included). Without a physical connection to the controller it isdifficult to gain access to the memory (data stores), particularly inthe embodiments as described in reference to FIG. 1B below wherecomponents are embodied into a single integrated circuit chip. Intraditional methods, the controller has encryption/decryption built-inand the security is solely reliant on the basis that even if a malicioususer gained access to data stores it wouldn't be able to decrypt thedata without the user's password. Methods such as maximum number oftries after which the controller erases decryption key have beenimplemented to stop tampering, but these do not prevent the malicioususer from doing a brute force attack or accessing and cloning thememory.

The device comprises one or more wireless communication components tocommunicate wirelessly, including in order to receive authenticationdata. The wireless communication component comprises a radio transceiver107 to communicate over one or more wireless protocols such asBluetooth, WiFi, WiGig or other protocols known to those skilled in theart, including Zigbee, RF4CE, Thread, 6LoWPAN or IEEE 802.15.4protocols. One or more antenna 110 may be connected to radio transceiver107. Where the one or more data transfer interfaces for the data storesare wireless, the data transfer interfaces utilize the hardware of thewireless communication component for communication.

Power module 108 controls the voltages provided to the variouscomponents 103, 104, 105, 106 and 107.

Referring to FIG. 1B, an implementation of the WSDSD 100 is illustratedwhich includes the CPU, controller and memory (as described inconnection with FIG. 1A for example) embodied into a single integratedcircuit chip 120. In various embodiments, internal components of theWSDSD are provided in single IC to prevent tampering, e.g. cloning ofthe memory by directly accessing it to enable a brute force hackingattempt. Moreover, in such embodiments, it becomes difficult to ‘skip’the electronic switch and connect the controller and the one or moredata stores in order to directly access the memory.

FIG. 1C, shows a WSDSD further comprising a rechargeable battery 112connected to power module 108, having the ability to charge the batterywhen the WSDSD 100 is connected to a power source.

FIG. 1D illustrates a design for the WSDSD based on the invention whichincludes the CPU, controller, memory, power module and radio transceiverembodied within a single chip 130.

FIG. 1E, illustrates a design of the WSDSD 100 based on the presentinvention, including the functionality of the design shown in FIG. 1C,plus including a cellular module as previously described. Cell module118 can be provided to connect to one or more cellular networks whichmay include 5G, CDMA, LTE, UMTS, GSM, HSDPA, HSUPA, HSPA+, TD-SCDMA,WiMAX or other cellular networks types known to those skilled in theart. The cellular module 118 may be used to transfer information fromthe WSDSD 100 directly to the Cloud Server 202 without requiring anexternal host or operating system.

The block diagram of FIG. 1E also shows a GPS module 116 used forgeolocation tracking of the WSDSD 100 anywhere in the world. The GPSmodule 116 may be capable of using one or more satellite technologiesincluding but not limited to GNSS, GPS, GLONASS, Galileo, IRNSS andBeiDou. The GPS module 116 in combination with the cellular module 118,can notify the Enterprise Solution Manager System (“ESMS”) 210 of theexact position of the wireless secure data storage device. Further,included is an inertial measurement unit (IMU) 122, this can consist ofone or all of the following, accelerometer, gyroscope or magnetometer.The IMU can be configured in such a manner that any movement to theWSDSD 100 will trigger an unauthorized movement event. Events areconfigured in the ESMS 210 to perform one or more actions which include,but is not limited to email notification, disabling the device, formatthe device and enable geolocation tracking.

FIG. 2 illustrates an example system for secure storage comprising aWSDSD 100 interoperating with a cloud server 202 and a smart device(“SD”) 206. Particularly, FIG. 2 illustrates certain features of theCloud Server 202, and also possible implementations for the CloudServer, as previously described in brief.

Cloud Server 202 may be implemented as an Enterprise Solution ManagerSystem (“ESMS”) 210. The ESMS 210 contains all the security andconfiguration settings that are uploaded to the WSDSD 100. One or moreadministrators may allocate the authority to assign access to users thatultimately use the WSDSD 100. The features within ESMS 210 may range forexample from granting security access to users, setting beaconintervals, RAID (Redundant Array of Independent Disks), encryption type,network devices, proximity based security settings, parameters formarking a device as lost or stolen, rules for defining actions or eventsrelated to security, usability and accessibility.

Block 204 may consist of one or more applications that process,transform or execute requests from ESMS 210 to the Database 212.

The Database 212 may store various information pertaining to users,administrators and configurations for the various WSDSD 100.

In one aspect of the invention, Cloud Server 202 may be configured sothat access privileges may be granted to users at the file, folder andpartition levels. Each file, folder or partition may have differentauthentication protocols or cryptography methods used such as AES 256,RSA, DSA, password or other secure methods or algorithms known to thoseskilled in the art. This allows individuals and companies to have fullcontrol of the granularity of security on the device.

Administrators may also configure the WSDSD 100 using the Cloud Server202 to require more than one user to wirelessly authenticate with thedevice to unlock access to the file storage system. For example, usingthe ESMS 210, an administrator may create new or hidden partitions onthe WSDSD 100 file system that only specific users may view and access.Using the same method, the device can be configured in such a way thatthe file system cannot be erased using any operating system such asWindows, Unix, OS X, Android, iOS and other similar systems known tothose skilled in the art. Further, in some embodiments, after aconfigured amount of unauthorized attempts or if the device is set aslost or stolen within ESMS 210, the device can perform several taskssuch as wipe the file system at the bit level, erase the index sectors,create a new partition and set the old partition as hidden, or otherfeatures as set out in the ESMS 210 settings. Once the device is markedas lost or stolen, the WSDSD 100 may try to initiate a secure outboundconnection to an external file server. Once a secure connection isestablished, the device will start uploading the contents of the filestorage system to the external file server.

FIG. 2 shows additionally a SD 206 which may be provided based on theinvention. A Smart Device (SD) consists of any host device that isconfigured to access the Cloud Server 202, such as a mobile device,notebook, desktop computer, tablet computer, while also being capable ofwirelessly authenticating a user to the WSDSD 100. In the case that theWSDSD 101 contains a cellular module, it may communicate directly to theCloud Server 202 by establishing a secured connection and authenticatingdirectly with the ESMS 210 without requiring an additional Smart Device.

The SD 206 may connect with the WSDSD along certain wirelesscommunication channels for authentication and file transfer, and mayfurther communicate through a cellular channel with the ESMS 210. The SD206 could alternately connect with the WSDSD using a wired interface forfile transfer while connecting wirelessly for authentication.

The SD 206 may communicate with the ESMS 210, receive (or upload)updated configuration settings for the WASDSD 100, and provide the newconfiguration settings to the WASDSD 100. The cellular connection of theSD 206 may thus be of use to enable receipt of configuration settingsfrom the ESMS 210 to the WASDSD.

In some embodiments, the WSDSD 101 includes its own cellularcommunications module, such that it can directly connect to the server202 to receive configuration settings without relying on the smartdevice. The WSDSD can then download configuration data and sync fileswith the ESMS (“cloud drive”) without the need of an externalconnection. As an example, in the event a user marks the WSDSD as “lost”at the ESMS and the WSDSD downloads this information, it can lock thedata store indefinitely. The cellular communications module may also beused to locate the WSDSD based on cell tower triangulation, or otherfeatures.

In a possible implementation of the illustrated system, WSDSD 100requires wireless authentication to enable access to the file storagesystem in memory. The particular authentication method may be changed byeither the ESMS 210 or a SD 206 capable of authenticating with thedevice. In one case a SD 206 includes proprietary software (aspreviously described) required to connect to the WSDSD 100 and start theauthentication protocol. The authentication protocol may require one ormore of a session key, certificate, password, voice recognition, facerecognition, pattern recognition, fingerprint scanner, iris scannerand/or other security measure known to those skilled in the art. Inanother case the WSDSD 100, can be unlocked by a Hardware Key Protocol(“HKP”) 300 as described below.

Alternatively, the device 100 may be unlocked by being within theproximity to one or more SD 206. Further, the security layer may includea notion of geolocation configured through the ESMS 210. Geolocationinformation for the WSDS 100 may be obtained from the SD 206 using thebuilt-in Global Positioning System (“GPS”), cellular triangulation, LEDbased indoor location detection technology, ultrasound beacon, iBeaconor other location systems known to those skilled in the art. In somecases, geolocation can be obtained by using wireless triangulation froma set of WSDSD 100 or a set of SD 206 that are configured to wirelesslybroadcast their location. WSDSD 100 may include for example a built-inGPS or cellular module that may have the ability to obtain thegeolocation from the built in hardware and cellular triangulation. TheWSDSD 100, may store the allowed geolocation information within theinternal memory or alternatively can query the ESMS 210 to obtain thegeolocation information which allows the device to unlock when the userenters that area. Examples of configurable geolocation features includelocking, unlocking, quick format and bit level format. This providesadditional security where there is a requirement that data only beaccessed from a specific location.

The WSDSD 100, may be configured to authenticate when a specificinterface host ID is identified, such as a USB host ID, or any otherinterface described in this invention. Authentication for the WSDSD 100may consist of one or more methodologies mentioned or similar techniques

WSDSD 100 can be implemented as module, board or plug-in device. WSDSD100 can be used in existing or newly designed devices to provide asecure file storage system and additional functionality.

As previously stated, WSDSD 100 (in accordance with one or more of theimplementations described) may not require proprietary software (forexample to unlock the WSDSD 100) when connected via USB 102, SATA 111,PCI-Express 114 to a host device containing an operating systemincluding but not limited to Windows, Linux, Unix, Android, iOS or othersystems known to those skilled in the art, containing generic driversfor data storage drives.

In one possible implementation of the invention, the WSDSD 100 containsa unique identification serial number for the wireless interface used toidentify the device. The serial number is programmed at the manufacturerand cannot be altered. In some particular instances, the serial numbermay be reprogrammed by using an interface communicating with the API ora firmware update.

In one possible implementation, WSDSD 100 turns into a proximity beaconwhen in idle mode, broadcasting its serial number at regular or variableintervals. The term “idle” may refer to when the WSDSD 100 is notreading or writing to the memory or is in a wireless configuration mode.In some cases the serial number is encrypted and can only be decryptedby a SD 206 connected to ESMS 210. In another case the serial numberbroadcast is not encrypted and is used for location tracking. When theSD 206 goes out of range of the proximity beacon, the application mayremind the user that they may have left the WSDSD 100 unintentionally.In wireless configuration mode, SD 206 capable of interfacing with thedevice can read or write settings stored on the WSDSD 100.

WSDSD 100 may be configured to actively check for new firmware versionswhen connected to interfaces such as USB 102, SATA 111, PCI-Express 114,or other said interfaces. The device will only download and install newfirmware when in idle mode.

WSDSD 100 may be configured in such a way that the file storage systemis encrypted. The CPU 106 or alternatively the controller 104 encryptsand decrypts information from one or more interfaces including but notlimited to USB 102, SATA 111, PCI-Express 114 during read/writeoperations. The file storage system can be encrypted for example withAES 128 bit, 256 bit, or other secure encryption algorithms known tothose skilled in the art.

Referring now to FIG. 3, shown therein is a method 250 of wirelesslyauthenticating a user to a WSDSD, such as the WSDSD 100, for permittingaccess to the files secured thereupon.

Block 252 comprises wirelessly connecting a host device (such as a smartdevice 206) to the WSDSD for commencing an authentication protocol.

Block 254 comprises receiving from the host device, by the wirelesscommunication component of the WSDSD, authentication data to beauthenticated. The authentication data comprises data to be matchedagainst a stored secret key. The secret key may relate to a session key,certificate, user password, voice recognition information, facerecognition information, pattern recognition, fingerprint scanner,and/or iris scanner information. The secret key may comprise such dataconverted to an alphanumeric form (whether the conversion occurs at thehost device or at the WSDSD). The secret key may further include datarelating to the host device, e.g. device identification IDs or interfaceIDs. In many embodiments the secret key is encrypted using the WSDSD'spublic key.

Block 256 comprises matching, by a processing unit of the WSDSD, theauthentication data against a stored secret key to authenticate theuser.

At block 258, once the authentication data is confirmed to match thesecret key, the processing unit communicates a signal to the electronicswitch to provide access to its file store.

At block 260, the electronic switch of the WSDSD enters an open state,permitting access to the locally stored files through the interface to aconnected device (whether wired or wirelessly). For example, at thisblock the electronic switch may unlock a pin of an interface connectedto the WSDSD' data stores.

Referring to FIG. 4, the Hardware Key Protocol (“HKP”) 300, consists ofa CPU 310 capable of real-time encryption and decryption ofcryptographic algorithms. The HKP consists of at least two interfaces,one inbound and another outbound interface. The inbound and outboundinterfaces may include USB 302, SATA 304, SPI 306, Thunderbolt 308, orother interfaces known to those skilled in the art. The inboundinterface connects to the WSDSD 100, and the outbound interface connectsto the host device. A separate bus interface 312 for the wireless radiotransceiver 314 with one or more antenna 316 may be used for anadditional security layer. The wireless radio is capable of Bluetoothcommunication used for authentication. The HKP 300 CPU 310 can interpretone or more authentication protocols, including proprietarycryptographic algorithms for highly sensitive data.

Shown in FIG. 5, is a block diagram of a system for secure storage. Thesystem comprises a multiple WSDSD 100 that can form a network. Thedevices within the network are specified by either the ESMS 210 or a SD206. Once a Secure Wireless Connection 404 is established, the nodes cansecurely move information between each other. A “Node” refers to a WSDSD100 within a network. Nodes may be setup using ESMS 210 as RAID devices.Files stored in RAID format may be split into sequences and stored insome or all the linked nodes within a network and each node and sequencemay have a separate encryption method. In the situation that a malicioususer succeeds to obtain the files from one or more nodes within thenetwork, the files remain incomplete until all the nodes within thenetwork are compromised. The fragmented file system will increase theread and write performance of the stored data as well as significantlyimprove the security of the information stored on the WSDSD 100. Thedevices within the network may move files between each other at set orvariable times using continuously changing encryption key known only tothe network nodes and the ESMS 210 or other continuously changingcryptographic algorithms known to those skilled in the art. Thismethodology will enhance the security of the file system. The challengefor the intruder is to locate a continuously moving file at a given timeas well as finding the correct decryption key during that same period.In some cases where the WSDSD 100 also contains a cellular module 118, aSD 206 is not required for the nodes to communicate with the ESMS 210.In all of the above network formations the SD 206 has a single view ofthe file system to simplify file management and transfer. In some cases,each WSDSD 100 found within the network maintains its own file system.In such a configuration, the SD 206 or alternatively the WSDSD 100 canaggregate all the file systems within the network into one view usingproprietary software on the SD 206 or host system and perform regulartasks such as read, write and other file manipulations known to thoseskilled in the art. One such example would be to connect one WSDSD 100to a TV and another WSDSD 100 be connected to a desktop. The WSDSD 100connected to the desktop may contain multimedia content such as movies,audio or pictures. The multimedia content can now be directly accessedvia the TVs WSDSD 100. In the event that a user has multiple WSDSD 100with multimedia content stored, the devices may be setup to form anetwork. Once a network is formed the user may access all the multimediacontent in one unified view and stream it to the TV without requiringany knowledge of home networking.

In one embodiment of the WSDSD 100, the device may form a secureconnection to a SD 206 or to another WSDSD 100. Once the connection isestablished one or more files may be transferred. The SD 206 can alsoinitiate a clone request triggering the WSDSD 100 to transfer the filesystem at the bit level creating an exact replica.

In one possible implementation of the invention, a device of the presentinvention enables wireless RAID functionality, where the wireless RAIDfunctions as a secure file system that does not need to always beconnected to a host system (based on the security features discussedpreviously). As a result, even if the file system is disconnected withthe host system or the host system is compromised, the secure filesystem includes additional security. This particular implementationenables a solution that includes desirable capacity, performance andsecurity characteristics.

The embodiments of the devices, systems and methods described herein maybe implemented in a combination of both hardware and software. Theseembodiments may be implemented on programmable computers, each computerincluding at least one processor, a data storage system (includingvolatile memory or non-volatile memory or other data storage elements ora combination thereof), and at least one communication interface.

Program code is applied to input data to perform the functions describedherein and to generate output information. The output information isapplied to one or more output devices. In some embodiments, thecommunication interface may be a network communication interface. Inembodiments in which elements may be combined, the communicationinterface may be a software communication interface, such as those forinter-process communication. In still other embodiments, there may be acombination of communication interfaces implemented as hardware,software, and combination thereof.

Throughout the foregoing discussion, numerous references will be maderegarding servers, services, interfaces, portals, platforms, or othersystems formed from computing devices. It should be appreciated that theuse of such terms is deemed to represent one or more computing deviceshaving at least one processor configured to execute softwareinstructions stored on a computer readable tangible, non-transitorymedium. For example, a server can include one or more computersoperating as a web server, database server, or other type of computerserver in a manner to fulfill described roles, responsibilities, orfunctions.

Although the embodiments have been described in detail, it should beunderstood that various changes, substitutions and alterations can bemade herein without departing from the scope as defined by the appendedclaims.

Although the invention has been described with reference to certainspecific embodiments, various modifications thereof will be apparent tothose skilled in the art without departing from the spirit and scope ofthe invention as outlined in the claims appended hereto.

The entire disclosures of all references recited above are incorporatedherein by reference.

1. A wireless secure data storage device comprising: a data storeconnected to one or more interfaces for transferring data from the datastore; a processing unit; an electronic switch; one or more wirelesscommunication components coupled to the processing unit forcommunicating with a host device for obtaining authentication data; anda location sensor for determining the location of the wireless securedata storage device based on an additional device; wherein theelectronic switch and the processing unit cooperate to switch the devicebetween a closed state, where data cannot be accessed from the datastore through the one or more interfaces, to an open state, where datacan be accessed from the data store through the one or more interfaces,upon the processing unit matching obtained authentication data to astored secret key and the location sensor determining that the wirelesssecure data storage device is within a predetermined range.
 2. Thewireless secure data storage device of claim 1, wherein the additionaldevice is the host device and the predetermined range is a predeterminedproximity to the host device.
 3. The wireless secure data storage deviceof claim 1, wherein the additional device comprises GPS transmittingdevices and the predetermined range is range surrounding an absolutelocation.
 4. The wireless secure data storage device of claim 1, whereinthe additional device is multiple wireless devices.
 5. The wirelesssecure data storage device of claim 1, wherein the wireless secure datastorage device communicates its location with the additional deice todetermine whether it is within the predetermined range.
 6. The wirelesssecure data storage device of claim 1, wherein the electronic switch andthe processing unit cooperate to switch the device from the open stateto the closed state upon determining that the wireless secure datastorage device has moved outside of the predetermined range.
 7. Thewireless secure data storage device of claim 6, wherein the additionaldevice is a mobile phone with means for alerting a user of the mobilephone that wireless secure data storage device has moved to outside ofthe predetermined range.
 8. The wireless secure data storage device ofclaim 6, wherein the additional device is a mobile phone with means foralerting a user of the mobile phone that wireless secure data storagedevice has moved to outside of the predetermined range and providing theuser with the location of the wireless secure data storage device. 9.The wireless secure data storage device of claim 1, wherein the locationsensor is implemented by monitoring signal strength of the one or morewireless communications components and the predetermined range isdetermined based on the signal strength meeting a predeterminedthreshold.
 10. A method of authenticating a user to a wireless securedata storage device comprising a data store connected to one or moreinterfaces, a processing unit, an electronic switch, one or morewireless communication components coupled to the processing unit, and alocation sensor for determining the location of the wireless secure datastorage device based on an additional device, the method comprising:obtaining, by the one or more wireless communication components,authentication data from a host device; matching, by the processingunit, the authentication data to a stored secret key; determining, bythe location sensor, that the wireless secure data storage device iswithin a predetermined range; and switching, by the processing unit andthe electronic switch, the device from a closed state, where data cannotbe accessed from the data store through the one or more interfaces, toan open state, where data can be accessed from the data store throughthe one or more interfaces.
 11. The method of claim 10, wherein theadditional device is the host device and the predetermined range is apredetermined proximity to the host device.
 12. The method of claim 10,wherein the additional device comprises GPS transmitting devices and thepredetermined range is range surrounding an absolute location.
 13. Themethod of claim 10, wherein the additional device is multiple wirelessdevices.
 14. The method of claim 10, wherein the wireless secure datastorage device communicates its location with the additional deice todetermine whether it is within the predetermined range.
 15. The methodof claim 10, wherein the electronic switch and the processing unitcooperate to switch the device from the open state to the closed stateupon determining that the wireless secure data storage device has movedoutside of the predetermined range.
 16. The method of claim 10, whereinthe additional device is a mobile phone with means for alerting a userof the mobile phone that wireless secure data storage device has movedto outside of the predetermined range.
 17. The method of claim 10,wherein the additional device is a mobile phone with means for alertinga user of the mobile phone that wireless secure data storage device hasmoved to outside of the predetermined range and providing the user withthe location of the wireless secure data storage device.
 18. The methodof claim 10, wherein the location sensor is implemented by monitoringsignal strength of the one or more wireless communications componentsand the predetermined range is determined based on the signal strengthmeeting a predetermined threshold.